Hello.
I'm running Fail2Ban and Cyrus IMAP on FreeBSD, but f2b is not picking
up failed login attempts.
I know this has been the object of several (all closed) bug reports in the
past, but those did not help me.
In the logs I have lots of lines like:
Oct 28 17:42:02 zzzz imaps[93940]: badlogin: [x.x.x.x] plaintext yyyyyyy SASL(-13): authentication failure: checkpass failed
In filter.d/cyrus-imap.conf, I have:
_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
ignoreregex =
Should this regex pick up those lines?
I tried to debug this, but perhaps I'm too much of a noob:
# fail2ban-regex "Oct 28 17:42:02 zzzz imaps[93940]: badlogin: [1.2.3.4] plaintext yyyyyyy SASL(-13): authentication failure: checkpass failed" '^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$'
...
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
Is it because "%(__prefix_line)" is not known in this context?
So I tried:
# fail2ban-regex "Oct 28 17:42:02 zzzz imaps[93940]: badlogin: [1.2.3.4] plaintext yyyyyyy SASL(-13): authentication failure: checkpass failed" 'badlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$'
...
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
Since this matched, I tried removing "^%(__prefix_line)" from
filter.d/cyrus-imap.conf, but still fail2ban won't block anything.
Any hint on what to try next?
bye & Thanks
av.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
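An added example, not from the post or from fail2ban itself, that applies the quoted failregex to sample Cyrus log lines in Python, expanding %(__prefix_line)s and <HOST> the way the filter reader does before matching; the simplified prefix pattern, the IPv4-only host pattern and the log lines are assumptions constructed for the demo. It also shows that the same template used literally, without the interpolation, cannot match anything.

```python
import re

# ASSUMPTION: simplified stand-in for fail2ban's %(__prefix_line)s, which
# filter.d/common.conf defines in more detail (timestamp, host, daemon[pid]:).
PREFIX_LINE = (
    r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?"              # syslog timestamp
    r"(?:\S+\s+)?"                                               # hostname
    r"(?:(?:cyrus/)?(?:imap(?:d|s)?|pop3(?:d|s)?)\[\d+\]:\s+)?"  # daemon[pid]:
)

# failregex as quoted in the post, as one logical line.
FAILREGEX_TEMPLATE = (
    r"^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): "
    r"(authentication failure|user not found): .*\]?$"
)

# fail2ban substitutes its own host pattern for <HOST>; IPv4-only here (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(template=FAILREGEX_TEMPLATE, prefix_line=PREFIX_LINE):
    """Expand %(__prefix_line)s (ConfigParser-style) and <HOST>, then compile."""
    expanded = template % {"__prefix_line": prefix_line}
    return re.compile(expanded.replace("<HOST>", HOST_RE))


def failed_login_host(line, regex=compile_failregex()):
    """Return the offending IP if the line is a failed login, else None."""
    m = regex.search(line)
    return m.group("host") if m else None


def literal_template_host(line):
    """Same check with %(__prefix_line)s left unexpanded: the text is taken literally."""
    return failed_login_host(line, re.compile(FAILREGEX_TEMPLATE.replace("<HOST>", HOST_RE)))


# Constructed sample lines (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LINES = [
    "Oct 28 17:42:02 zzzz imaps[93940]: badlogin: [192.0.2.10] plaintext yyyyyyy "
    "SASL(-13): authentication failure: checkpass failed",
    "Oct 28 17:43:11 zzzz imap[93941]: badlogin: [192.0.2.11] plaintext nosuchuser "
    "SASL(-13): user not found: no secret in database",
    "Oct 28 17:44:05 zzzz imaps[93942]: login: [192.0.2.12] yyyyyyy plaintext User logged in",
]


def scan(lines):
    """Per-line decision as fail2ban makes it: host to count against, or None."""
    return [failed_login_host(line) for line in lines]
```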